Elasticsearch and Liferay Enterprise Search Security Advisory: August 23, 2021
The following issues may affect the functionality of your Liferay DXP and Liferay Enterprise Search environments and your Elastic Stack.
Deployments which might be impacted
- Elasticsearch versions 7.11.0 to 7.13.4
Vulnerability Information
Elasticsearch Document/Field Level Security issue (ESA-2021-18)
A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Affected Versions:
Elasticsearch versions 7.11.0 to 7.13.4
Solutions and Mitigations:
Users who use document or field level security together with searchable snapshots should upgrade to version 7.14.0.
CVSSv3: 5.7 - AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2021-22147
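The following script, added here as an example and not part of this advisory or of Liferay's or Elastic's own tooling, shows how an operator can assess exposure to this issue offline from data already available in their own cluster: the version string from GET /, the role definitions from GET /_security/role (document level security shows up as a "query" entry and field level security as a "field_security" entry on an index privilege), and the index settings from GET /_all/_settings. The script treats an index whose index.store.type is "snapshot" as searchable-snapshot backed; that setting name and the sample JSON bodies are assumptions constructed for the example, and the affected range 7.11.0 to 7.13.4 is taken from the advisory above.

```python
"""Offline exposure check for ESA-2021-18 (CVE-2021-22147).

Inputs are JSON bodies fetched from your own cluster (assumed shapes):
  GET /               -> {"version": {"number": "7.13.4"}}
  GET /_security/role -> {role_name: {"indices": [{... "query"?, "field_security"?}]}}
  GET /_all/_settings -> {index_name: {"settings": {"index": {"store": {"type": ...}}}}}
All sample data at the bottom is constructed for this example.
"""
from typing import Any, Dict, List, Tuple

AFFECTED_MIN = (7, 11, 0)   # affected range from the advisory
AFFECTED_MAX = (7, 13, 4)
FIXED_VERSION = "7.14.0"    # version the advisory says to upgrade to


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.13.4' or '7.13.4-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def version_affected(version: str) -> bool:
    """True when the cluster version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def roles_using_dls_fls(roles: Dict[str, Any]) -> List[str]:
    """Names of roles whose index privileges carry a DLS query or an FLS field_security block."""
    found = []
    for name, role in roles.items():
        for index_priv in role.get("indices", []):
            if "query" in index_priv or "field_security" in index_priv:
                found.append(name)
                break
    return sorted(found)


def searchable_snapshot_indices(settings: Dict[str, Any]) -> List[str]:
    """Index names whose store type is 'snapshot' (assumed marker of a searchable snapshot index)."""
    found = []
    for index_name, body in settings.items():
        store = body.get("settings", {}).get("index", {}).get("store", {})
        if store.get("type") == "snapshot":
            found.append(index_name)
    return sorted(found)


def assess(version: str, roles: Dict[str, Any], settings: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the three checks; the advisory's scenario needs all three to hold at once."""
    affected = version_affected(version)
    dls_fls = roles_using_dls_fls(roles)
    ss_indices = searchable_snapshot_indices(settings)
    return {
        "version_affected": affected,
        "dls_fls_roles": dls_fls,
        "searchable_snapshot_indices": ss_indices,
        "exposed": affected and bool(dls_fls) and bool(ss_indices),
        "fixed_version": FIXED_VERSION,
    }


# ---- constructed sample responses (not from a real cluster) ----
SAMPLE_VERSION = "7.13.4"
SAMPLE_ROLES = {
    "liferay_app": {"indices": [{"names": ["liferay-*"], "privileges": ["all"]}]},
    "analyst_dls": {"indices": [{"names": ["logs-*"], "privileges": ["read"],
                                 "query": {"term": {"tenant": "acme"}}}]},
    "viewer_fls": {"indices": [{"names": ["logs-*"], "privileges": ["read"],
                                "field_security": {"grant": ["@timestamp", "message"]}}]},
}
SAMPLE_SETTINGS = {
    "logs-hot": {"settings": {"index": {"number_of_shards": "1"}}},
    "logs-2021.06-mounted": {"settings": {"index": {"store": {"type": "snapshot"},
                                                    "number_of_shards": "1"}}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_VERSION, SAMPLE_ROLES, SAMPLE_SETTINGS), indent=2))
```

Running the script against the constructed sample reports exposed=true because all three conditions coincide: an affected version, two roles using DLS/FLS, and one searchable snapshot index. On a real deployment, replace the sample bodies with the responses from your own cluster; a version outside the range, or no DLS/FLS roles, or no searchable snapshot indices, each independently clears the scenario described in this advisory.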
Additional Information
Liferay's Elasticsearch connectors and out-of-the-box features do not use Document or Field Level Security.
Search Engine Compatibility Matrix
Refer to the information here for detailed Elasticsearch compatibility, including compatible connector versions and required patch levels.
Vendor References
https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344
Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.